Fundamentals of PKI Authentication

It’s difficult to adequately convey the impact the Internet has had on the world. (Don’t worry; I’m not going to waste your time by trying.) But a significant portion of those advances wouldn’t be possible without proper security. Sure, we might be happy to share recipes, tweets, and photos on Instagram without assurances that our content is secure. Many such uses of the Internet are intended to be open to a global audience anyway. But the proliferation of email, banking, and ecommerce require more than mere connectivity. Security enables us to fully exploit the capabilities of the Internet. And one of those crucial technologies is Public Key Infrastructure (PKI).

What is PKI?

A PKI supports the distribution and identification of public encryption keys. It is a collection of hardware, software, and processes that support the use of public key cryptography and the means to verify the authenticity of public keys. PKI enables users and computers to verify the identity of parties they’re communicating with, and securely exchange data over private networks as well as public networks such as the Internet.

With the assurance of identities, the concept reminds me of a secret handshake. Users may exchange an envelope with a message written in code; but with PKI, both parties can be certain the person they’re exchanging with is truly who they say they are. That assurance of identity comes in the form of a digital certificate from a certificate authority (CA).

A pair of cryptographic keys — one public and one private — are used to encrypt and decrypt data. The private key is maintained by the end user and remains secure. The public key is available as part of a digital certificate within a directory that can be freely accessed.

The digital certificate links the name of an individual to their public key. The CA that issues the digital certificate signs it using its own private key. Some entity must be trusted in the entire chain, and that boils down to the certificate authority.

Today’s PKI Challenges

According to a report from the Ponemon Institute, 62% of businesses surveyed regard cloud-based services as the most important trend driving the deployment of applications using PKI, an increase from 50% in 2015. 28% say IoT will drive PKI deployment.

PKIs support an average of 8 different applications within a business. 58% of respondents stated their most significant challenge is the inability of their existing PKI to support new applications.

The use of high assurance mechanisms such as hardware security modules (HSMs) to secure PKI has increased. HSMs are deployed to secure PKIs are for the most critical root and issuing certificate authority (CA) private keys, together with offline and online root CAs.

While some higher-level security measures have increased slightly from 2015, such as multi-factor authentication for administrators and HSM usage, other best practices are ignored. In 34% of PKIs, critical private keys are protected by passwords alone, without a second factor. PKI is often referred to as providing a “chain of trust,” but as is well-known, a chain is only as strong as its weakest link and passwords create a flimsy link.

Additionally more than one-third of deployed PKIs operate without any means of certificate revocation . Digital certificates are revoked for numerous reasons, such as when a certificate’s private key has been compromised, if a certificate is discovered to be counterfeit, or compromise of the issuing CA. As certificates are the ‘root’ of the chain of trust, ensuring revoked certificates aren’t accepted is crucial.

Numerous security regulations require multi-factor authentication. Many, industries such as healthcare, critical infrastructure, law enforcement and education are challenged with implementing security protocols that will comply with regulations. For instance, higher education loan authority, MOHELA, was faced with the US Federal Information Security Management Act (FISMA). By implementing PKI smart cards with prox , MOHELA was able to integrate multi-factor logical access with their existing physical access system and successfully comply with the regulation.

Kevin Shorter, a research scientist in QinetiQ’s Trusted Information Management Group, recommends, “So before asking whether you need [a PKI], a first step is to identify the problem(s) that you need to solve.” Horses for courses, as the idiom goes. Because PKI can be used in various ways, it makes sense to first consider the specific challenge at hand.